Compartir a través de

Analytic Rule - Query Scheduling - Sentinel

Miguel Calderón 45 Puntos de reputación
2023-11-10T20:03:29.85+00:00

Dear Team.

I´m trying to join Security Event logs looking for two specific Event ID, one must be 4days ago (Event A,TimeGenerated > Ago(4d)) and the other one 1 hour (Event B, TimeGenerated > Ago(1h)), so when I join to excluded the Users found on Event A.

So, when i run the query everything works, but I´m not sure about what values should i include in the scheduling on the analytic rule. I want to this rule run every hour.


TableA = (
    SecurityEvent
    | where EventID == EventA
    | where TimeGenerated > ago (4d)
);
TableB = (
	SecurityEvent
	| where EventID == EventB
	| where TimeGenerated > ago (1h)
);
TableA
| join kind=  leftanti  (
    TableA
) on TargetUserName
| sort by TimeGenerated desc

User's image

Sin supervisión
Sin supervisión
Etiqueta no supervisada por Microsoft.
220 preguntas
Respuesta aceptada
  1. Givary-MSFT 35,456 Puntos de reputación Empleado de Microsoft
    2023-11-16T10:17:50.6133333+00:00

    @Miguel Calderón Thank you for reaching out to us, regarding your ask did check with my team the values in the query scheduling looks fine to me, as you have put 4 days, in the lookup, cause that parameter determines the "look back" period for your analytic query and frequency is also correctly defined (every 1 hour) or probably better to use TimeGenerated >= ago(4d), since you need the whole 4 days back data.

    Let me know if you have any further questions, feel free to post back.

    Please remember to "Accept Answer" if answer helped, so that others in the community facing similar issues can easily find the solution.

    1 persona ha encontrado útil esta respuesta.

0 respuestas adicionales

Ordenar por: Muy útil
Muy útil Más reciente Más antiguo

Su respuesta

Las respuestas se pueden marcar como respuestas aceptadas por el autor de la pregunta, lo que ayuda a los usuarios a conocer la respuesta que resolvió el problema del autor.